In 2014 the ex-partner formally requested the medical records of the son he had with the woman, under section 7 of the Data Protection Act (a Subject Access Request). The GP surgery had no system in place to assess whether information should be released or what data should be withheld, and so handed over the full 62-page medical file, complete with the woman's contact details, those of her parents, and details of an older child the man was not related to.

The Information Commissioner's Office decided to fine the practice because of the very sensitive nature of the data it holds.

"Most people would be horrified to think the information they entrust to their GP was being treated with anything less than the utmost care. In this case a patient reinforced this; however, her pleas went unheeded," said the ICO's head of enforcement, Steve Eckersley.

The woman discovered the breach when her estranged ex filed the medical documents in a court case against her. Explaining the decision to impose a financial penalty, Eckersley added:

In failing to ensure staff were properly equipped to safeguard against unauthorised disclosures, this medical practice placed a member of its team in the firing line. GPs could have protected staff by providing proper support, training and guidance. They did not do this.

The ICO has the power to impose a fine of up to £500,000, but chose a lower amount because the surgery's individual owners would have been personally liable, and because the practice has since put proper procedures in place and worked with the regulator to resolve the situation. If it pays in full by September 8, Regal Chambers will receive a further 20 percent reduction.

However, Eckersley warned other organisations that they should not expect the same leniency. "Most organisations would expect to receive a much larger fine," he said.